NATIONAL FOREWORD 

This Indian Standard (Part 5) which is identical with IEC 61508-5 : 1998 'Functional safety of 
electrical/electronic/programmable electronic safety-related systems — Part 5: Examples of methods 
for the determination of safety integrity levels' issued by the International Electrotechnical Commission 
(IEC) was adopted by the Bureau of Indian Standards on the recommendation of the Industrial 
Process Measurement and Control Sectional Committee and approval of the Electrotechnical Division 
Council. 

The text of the IEC Standard has been approved as suitable for publication as an Indian Standard without 
deviations. Certain conventions are, however, not identical to those used in Indian Standards. 
Attention is particularly drawn to the following: 

a) Wherever the words 'International Standard' appear referring to this standard, they should 
be read as 'Indian Standard'. 

b) Comma (,) has been used as a decimal marker, while in Indian Standards, the current 
practice is to use a point (.) as the decimal marker. 

In this adopted standard, references appear to certain International Standards for which Indian 
Standards also exist. The corresponding Indian Standards, which are to be substituted in their 
respective places, are listed below along with their degree of equivalence for the editions indicated: 



International Standard / Corresponding Indian Standard / Degree of Equivalence 

IEC 61508-1 : 1998 Functional safety of electrical/electronic/programmable electronic 
safety-related systems — Part 1: General requirements 
    IS/IEC 61508-1 : 1998 Functional safety of electrical/electronic/programmable electronic 
    safety-related systems: Part 1 General requirements 
    Identical 

IEC 61508-2 : 2000 Functional safety of electrical/electronic/programmable electronic 
safety-related systems — Part 2: Requirements for electrical/electronic/programmable 
electronic safety-related systems 
    IS/IEC 61508-2 : 2000 Functional safety of electrical/electronic/programmable electronic 
    safety-related systems: Part 2 Requirements for electrical/electronic/programmable 
    electronic safety-related systems 
    Identical 

IEC 61508-3 : 1998 Functional safety of electrical/electronic/programmable electronic 
safety-related systems — Part 3: Software requirements 
    IS/IEC 61508-3 : 1998 Functional safety of electrical/electronic/programmable electronic 
    safety-related systems: Part 3 Software requirements 
    Identical 

IEC 61508-4 : 1998 Functional safety of electrical/electronic/programmable electronic 
safety-related systems — Part 4: Definitions and abbreviations 
    IS/IEC 61508-4 : 1998 Functional safety of electrical/electronic/programmable electronic 
    safety-related systems: Part 4 Definitions and abbreviations 
    Identical 

IEC 61508-6 : 2000 Functional safety of electrical/electronic/programmable electronic 
safety-related systems — Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 
    IS/IEC 61508-6 : 2000 Functional safety of electrical/electronic/programmable electronic 
    safety-related systems: Part 6 Guidelines on the application of IEC 61508-2 and 
    IEC 61508-3 
    Identical 

IEC 61508-7 : 2000 Functional safety of electrical/electronic/programmable electronic 
safety-related systems — Part 7: Overview of techniques and measures 
    IS/IEC 61508-7 : 2000 Functional safety of electrical/electronic/programmable electronic 
    safety-related systems: Part 7 Overview of techniques and measures 
    Identical 

ISO/IEC Guide 51 : 1990 1) Guidelines for the inclusion of safety aspects in standards 
    IS/ISO/IEC Guide 51 : 2005 Safety aspects — Guidelines for the inclusion in standards 
    Technically Equivalent 


The technical committee has reviewed the provisions of the following International Standard referred 
to in this adopted standard and has decided that it is acceptable for use in conjunction with this 
standard: 

International Standard / Title 

IEC Guide 104 : 1997 
    Guide to the drafting of safety standards and the role of Committees with 
    safety pilot functions and safety group functions 



Only the English language text in the International Standard has been retained while adopting it in this 
Indian Standard, and as such the page numbers given here are not the same as in the IEC Standard. 

For the purpose of deciding whether a particular requirement of this standard is complied with, the 
final value, observed or calculated, expressing the result of a test, shall be rounded off in accordance 
with IS 2 : 1960 'Rules for rounding off numerical values (revised)'. The number of significant places 
retained in the rounded off value should be the same as that of the specified value in this standard. 



1) Since revised in 2005. 
INTRODUCTION 

Systems comprised of electrical and/or electronic components have been used for many years 
to perform safety functions in most application sectors. Computer-based systems (generically 
referred to as programmable electronic systems (PESs)) are being used in all application 
sectors to perform non-safety functions and, increasingly, to perform safety functions. If 
computer system technology is to be effectively and safely exploited, it is essential that those 
responsible for making decisions have sufficient guidance on the safety aspects on which to 
make those decisions. 

This International Standard sets out a generic approach for all safety lifecycle activities for 
systems comprised of electrical and/or electronic and/or programmable electronic components 
(electrical/electronic/ programmable electronic systems (E/E/PESs)) that are used to perform 
safety functions. This unified approach has been adopted in order that a rational and consistent 
technical policy be developed for all electrically-based safety-related systems. A major 
objective is to facilitate the development of application sector standards. 

In most situations, safety is achieved by a number of protective systems which rely on many 
technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic, 
programmable electronic). Any safety strategy must therefore consider not only all the 
elements within an individual system (for example sensors, controlling devices and actuators) 
but also all the safety-related systems making up the total combination of safety-related 
systems. Therefore, while this International Standard is concerned with 
electrical/electronic/programmable electronic (E/E/PE) safety-related systems, it may also provide a 
framework within which safety-related systems based on other technologies may be 
considered. 

It is recognised that there is a great variety of E/E/PES applications in a variety of application 
sectors and covering a wide range of complexity, hazard and risk potentials. In any particular 
application, the required safety measures will be dependent on many factors specific to the 
application. This Standard, by being generic, will enable such measures to be formulated in 
future application sector international standards. 

This International Standard: 

- considers all relevant overall, E/E/PES and software safety lifecycle phases (for example, 
from initial concept, through design, implementation, operation and maintenance to 
decommissioning) when E/E/PESs are used to perform safety functions; 

- has been conceived with a rapidly developing technology in mind; the framework is 
sufficiently robust and comprehensive to cater for future developments; 

- enables application sector international standards, dealing with safety-related E/E/PESs, to 
be developed; the development of application sector international standards, within the 
framework of this International Standard, should lead to a high level of consistency (for 
example, of underlying principles, terminology etc.) both within application sectors and 
across application sectors; this will have both safety and economic benefits; 

- provides a method for the development of the safety requirements specification necessary 
to achieve the required functional safety for E/E/PE safety-related systems; 
- uses safety integrity levels for specifying the target level of safety integrity for the safety 
functions to be implemented by the E/E/PE safety-related systems; 

- adopts a risk-based approach for the determination of the safety integrity level 
requirements; 

- sets numerical target failure measures for E/E/PE safety-related systems which are linked 
to the safety integrity levels; 

- sets a lower limit on the target failure measures, in a dangerous mode of failure, that can 
be claimed for a single E/E/PE safety-related system; for E/E/PE safety-related systems 
operating in: 

  - a low demand mode of operation, the lower limit is set at an average probability of 
  failure of 10^-5 to perform its design function on demand; 

  - a high demand or continuous mode of operation, the lower limit is set at a probability of 
  a dangerous failure of 10^-9 per hour; 

NOTE - A single E/E/PE safety-related system does not necessarily mean a single-channel architecture. 

- adopts a broad range of principles, techniques and measures to achieve functional safety 
for E/E/PE safety-related systems, but does not use the concept of fail safe which may be 
of value when the failure modes are well defined and the level of complexity is relatively 
low. The concept of fail safe was considered inappropriate because of the full range of 
complexity of E/E/PE safety-related systems that are within the scope of the standard. 
Indian Standard 

FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONIC 
SAFETY-RELATED SYSTEMS 

PART 5 EXAMPLES OF METHODS FOR THE DETERMINATION OF SAFETY 
INTEGRITY LEVELS 

1 Scope 

1.1 This part of IEC 61508 provides information on 

- the underlying concepts of risk and the relationship of risk to safety integrity (see annex A); 

- a number of methods that will enable the safety integrity levels for the E/E/PE safety-related 
systems, other technology safety-related systems and external risk reduction facilities to be 
determined (see annexes B, C, D and E). 

1.2 The method selected will depend upon the application sector and the specific 
circumstances under consideration. Annexes B, C, D and E illustrate quantitative and 
qualitative approaches and have been simplified in order to illustrate the underlying principles. 
These annexes have been included to illustrate the general principles of a number of methods 
but do not provide a definitive account. Those intending to apply the methods indicated in these 
annexes should consult the source material referenced. 

NOTE - For more information on the approaches illustrated in annexes B, D and E, see references [4], [2] and [3] 
respectively in annex F. See also reference [5] in annex F for a description of an additional approach. 

1.3 Parts 1, 2, 3 and 4 of this standard are basic safety publications, although this status 
does not apply in the context of low complexity E/E/PE safety-related systems (see 3.4.4 of 
IEC 61508-4). As basic safety publications, they are intended for use by technical committees 
in the preparation of standards in accordance with the principles contained in IEC Guide 104 
and ISO/IEC Guide 51. One of the responsibilities of a technical committee is, wherever 
applicable, to make use of basic safety publications in the preparation of its own publications. 
IEC 61508 is also intended for use as a stand-alone standard. 

NOTE - In the USA and Canada, until the proposed process sector implementation of IEC 61508 (i.e. IEC 61511) 
is published as an international standard in the USA and Canada, existing national process safety standards based 
on IEC 61508 (i.e. ANSI/ISA S84.01-1996) can be applied to the process sector instead of IEC 61508. 

1.4 Figure 1 shows the overall framework for parts 1 to 7 of IEC 61508 and indicates the role 
that IEC 61508-5 plays in the achievement of functional safety for E/E/PE safety-related 
systems. 
Figure 1 - Overall framework of this standard 

2 Normative references 

The following normative documents contain provisions which, through reference in this text, 
constitute provisions of this International Standard. At the time of publication, the editions 
indicated were valid. All normative documents are subject to revision, and parties to 
agreements based on this International Standard are encouraged to investigate the possibility 
of applying the most recent editions of the normative documents indicated below. Members of 
IEC and ISO maintain registers of currently valid International Standards. 

IEC 61508-1:1998, Functional safety of electrical/electronic/programmable electronic safety-related 
systems - Part 1: General requirements 

IEC 61508-2, — Functional safety of electrical/electronic/programmable electronic safety-related 
systems - Part 2: Requirements for electrical/electronic/programmable electronic 
safety-related systems 1) 

IEC 61508-3:1998, Functional safety of electrical/electronic/programmable electronic safety-related 
systems - Part 3: Software requirements 

IEC 61508-4:1998, Functional safety of electrical/electronic/programmable electronic safety-related 
systems - Part 4: Definitions and abbreviations of terms 

IEC 61508-6, — Functional safety of electrical/electronic/programmable electronic safety-related 
systems - Part 6: Guidelines on the application of parts 2 and 3 1) 

IEC 61508-7, — Functional safety of electrical/electronic/programmable electronic safety-related 
systems - Part 7: Overview of techniques and measures 1) 

ISO/IEC Guide 51:1990, Guidelines for the inclusion of safety aspects in standards 

IEC Guide 104:1997, Guide to the drafting of safety standards, and the role of Committees with 
safety pilot functions and safety group functions 

3 Definitions and abbreviations 

For the purposes of this standard, the definitions and abbreviations given in part 4 apply. 



1) To be published. 
Annex A 

(informative) 

Risk and safety integrity - General concepts 



A.1 General 

This annex provides information on the underlying concepts of risk and the relationship of risk 
to safety integrity. 

A.2 Necessary risk reduction 

The necessary risk reduction (see 3.5.14 of IEC 61508-4) is the reduction in risk that has to be 
achieved to meet the tolerable risk for a specific situation (which may be stated either 
qualitatively 1) or quantitatively 2)). The concept of necessary risk reduction is of fundamental 
importance in the development of the safety requirements specification for the E/E/PE safety- 
related systems (in particular, the safety integrity requirements part of the safety requirements 
specification). The purpose of determining the tolerable risk for a specific hazardous event is to 
state what is deemed reasonable with respect to both the frequency (or probability) of the 
hazardous event and its specific consequences. Safety-related systems are designed to reduce 
the frequency (or probability) of the hazardous event and/or the consequences of the 
hazardous event. 

The tolerable risk will depend on many factors (for example, severity of injury, the number of 
people exposed to danger, the frequency at which a person or people are exposed to danger 
and the duration of the exposure). Important factors will be the perception and views of those 
exposed to the hazardous event. In arriving at what constitutes a tolerable risk for a specific 
application, a number of inputs are considered. These include: 

- guidelines from the appropriate safety regulatory authority; 

- discussions and agreements with the different parties involved in the application; 

- industry standards and guidelines; 

- international discussions and agreements; the role of national and international standards 
is becoming increasingly important in arriving at tolerable risk criteria for specific 
applications; 

- the best independent industrial, expert and scientific advice from advisory bodies; 

- legal requirements, both general and those directly relevant to the specific application. 



1) In achieving the tolerable risk, the necessary risk reduction will need to be established. Annexes D and E of 
IEC 61508-5 outline qualitative methods, although in the examples quoted the necessary risk reduction is 
incorporated implicitly rather than stated explicitly. 

2) For example, that the hazardous event, leading to a specific consequence, shall not occur with a frequency 
greater than one in 10* h. 
A.3 Role of E/E/PE safety-related systems 

E/E/PE safety-related systems contribute towards meeting the necessary risk reduction in order 
to meet the tolerable risk. 

A safety-related system both 

- implements the required safety functions necessary to achieve a safe state for the 
equipment under control or to maintain a safe state for the equipment under control, and 

- is intended to achieve, on its own or with other E/E/PE safety-related systems, other 
technology safety-related systems or external risk reduction facilities, the necessary safety 
integrity for the required safety functions (3.4.1 of IEC 61508-4). 

NOTE 1 - The first part of the definition specifies that the safety-related system must perform the safety 
functions which would be specified in the safety functions requirements specification. For example, the safety 
functions requirements specification may state that when the temperature reaches x, valve y shall open to allow 
water to enter the vessel. 

NOTE 2 - The second part of the definition specifies that the safety functions must be performed by the safety- 
related systems with the degree of confidence appropriate to the application, in order that the tolerable risk will 
be achieved. 

A person could be an integral part of an E/E/PE safety-related system. For example, a person 
could receive information, on the state of the EUC, from a display screen and perform a safety 
action based on this information. 

E/E/PE safety-related systems can operate in a low demand mode of operation or high demand 
or continuous mode of operation (see 3.5.12 of IEC 61508-4). 

A.4 Safety integrity 

Safety integrity is defined as the probability of a safety-related system satisfactorily performing 
the required safety functions under all the stated conditions within a stated period of time (3.5.2 
of IEC 61508-4). Safety integrity relates to the performance of the safety-related systems in 
carrying out the safety functions (the safety functions to be performed will be specified in the 
safety functions requirements specification). 

Safety integrity is considered to be composed of the following two elements. 

- Hardware safety integrity; that part of safety integrity relating to random hardware failures in 
a dangerous mode of failure (see 3.5.5 of IEC 61508-4). The achievement of the specified 
level of safety-related hardware safety integrity can be estimated to a reasonable level of 
accuracy, and the requirements can therefore be apportioned between subsystems using 
the normal rules for the combination of probabilities. It may be necessary to use redundant 
architectures to achieve adequate hardware safety integrity. 

- Systematic safety integrity; that part of safety integrity relating to systematic failures in a 
dangerous mode of failure (see 3.5.4 of IEC 61508-4). Although the mean failure rate due 
to systematic failures may be capable of estimation, the failure data obtained from design 
faults and common cause failures means that the distribution of failures can be hard to 
predict. This has the effect of increasing the uncertainty in the failure probability 
calculations for a specific situation (for example the probability of failure of a safety-related 
protection system). A judgement therefore has to be made on the selection of the best 
techniques to minimise this uncertainty. Note that it is not necessarily the case that 
measures to reduce the probability of random hardware failure will have a corresponding 
effect on the probability of systematic failure. Techniques such as redundant channels of 
identical hardware, which are very effective at controlling random hardware failures, are of 
little use in reducing systematic failures. 

The required safety integrity of the E/E/PE safety-related systems, other technology safety- 
related systems and external risk reduction facilities, must be of such a level so as to ensure 
that 

- the failure frequency of the safety-related systems is sufficiently low to prevent the 
hazardous event frequency exceeding that required to meet the tolerable risk, and/or 

- the safety-related systems modify the consequences of failure to the extent required to 
meet the tolerable risk. 

Figure A.1 illustrates the general concepts of risk reduction. The general model assumes that 

- there is an EUC and an EUC control system; 

- there are associated human factor issues; 

- the safety protective features comprise 

- external risk reduction facilities, 

- E/E/PE safety-related systems, 

- other technology safety-related systems. 

NOTE - Figure A.1 is a generalised risk model to illustrate the general principles. The risk model for a specific 
application will need to be developed taking into account the specific manner in which the necessary risk reduction 
is actually being achieved by the E/E/PE safety-related systems and/or other technology safety-related systems 
and/or external risk reduction facilities. The resulting risk model may therefore differ from that shown in figure A.1. 

The various risks indicated in figure A.1 are as follows: 

- EUC risk: the risk existing for the specified hazardous events for the EUC, the EUC control 
system and associated human factor issues - no designated safety protective features are 
considered in the determination of this risk (see 3.2.4 of IEC 61508-4); 

- tolerable risk: the risk which is accepted in a given context based on the current values of 
society (see 3.1.6 of IEC 61508-4); 

- residual risk: in the context of this standard, the residual risk is that remaining for the 
specified hazardous events for the EUC, the EUC control system, human factor issues but 
with the addition of external risk reduction facilities, E/E/PE safety-related systems and 
other technology safety-related systems (see also 3.1.7 of IEC 61508-4). 

The EUC risk is a function of the risk associated with the EUC itself but taking into account the 
risk reduction brought about by the EUC control system. To prevent unreasonable claims for 
the safety integrity of the EUC control system, this standard places constraints on the claims 
that can be made (see 7.5.2.5 of IEC 61508-1). 

The necessary risk reduction is achieved by a combination of all the safety protective features. 
The necessary risk reduction to achieve the specified tolerable risk, from a starting point of the 
EUC risk, is shown in figure A.1. 
Figure A.1 - Risk reduction: general concepts 

Figure A.2 - Risk and safety integrity concepts 

A.5 Risk and safety integrity 

It is important that the distinction between risk and safety integrity be fully appreciated. Risk is 
a measure of the probability and consequence of a specified hazardous event occurring. This 
can be evaluated for different situations (EUC risk, risk required to meet the tolerable risk, 
actual risk (see figure A.1)). The tolerable risk is determined on a societal basis and involves 
consideration of societal and political factors. Safety integrity applies solely to the E/E/PE 
safety-related systems, other technology safety-related systems and external risk reduction 
facilities and is a measure of the likelihood of those systems/facilities satisfactorily achieving 
the necessary risk reduction in respect of the specified safety functions. Once the tolerable risk 
has been set, and the necessary risk reduction estimated, the safety integrity requirements for 
the safety-related systems can be allocated (see 7.4, 7.5 and 7.6 of IEC 61508-1). 

NOTE - The allocation is necessarily iterative in order to optimize the design to meet the various requirements. 

The role that safety-related systems play in achieving the necessary risk reduction is illustrated 
in figures A.1 and A.2. 

A.6 Safety integrity levels and software safety integrity levels 

To cater for the wide range of necessary risk reductions that the safety-related systems have to 
achieve, it is useful to have available a number of safety integrity levels as a means of 
satisfying the safety integrity requirements of the safety functions allocated to the safety- 
related systems. Software safety integrity levels are used as the basis of specifying the safety 
integrity requirements of the safety functions implemented by safety-related software. The 
safety integrity requirements specification should specify the safety integrity levels for the 
E/E/PE safety-related systems. 

In this standard, four safety integrity levels are specified, with safety integrity level 4 being the 
highest level and safety integrity level 1 being the lowest. 

The safety integrity level target failure measures for the four safety integrity levels are specified 
in tables 2 and 3 of IEC 61508-1. Two parameters are specified, one for safety-related systems 
operating in a low demand mode of operation and one for safety-related systems operating in a 
high demand or continuous mode of operation. 

NOTE - For safety-related systems operating in a low demand mode of operation, the safety integrity measure of 
interest is the probability of failure to perform its design function on demand. For safety-related systems operating 
in a high demand or continuous mode of operation, the safety integrity measure of interest is the average 
probability of a dangerous failure per hour (see 3.5.12 and 3.5.13 of IEC 61508-4). 

A.7 Allocation of safety requirements 

The allocation of safety requirements (both the safety functions and the safety integrity 
requirements) to the E/E/PE safety-related systems, other technology safety-related systems 
and external risk reduction facilities is shown in figure A.3 (this is identical to figure 6 of 
IEC 61508-1). The requirements for the safety requirements allocation phase are given in 7.6 
of IEC 61508-1. 

The methods used to allocate the safety integrity requirements to the E/E/PE safety-related 
systems, other technology safety-related systems and external risk reduction facilities depend, 
primarily, upon whether the necessary risk reduction is specified explicitly in a numerical 
manner or in a qualitative manner. These approaches are termed quantitative and qualitative 
methods respectively (see annexes B, C, D and E). 
Figure A.3 - Allocation of safety requirements to the E/E/PE safety-related systems, 
other technology safety-related systems and external risk reduction facilities 
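As an added worked example (not part of IEC 61508-5 or its Indian adoption), the following Python turns the annex A concepts into arithmetic: the necessary risk reduction from EUC risk and tolerable risk (A.2), the resulting target failure measure, its mapping to a safety integrity level, the single-system lower limits stated in the Introduction, and apportionment across independent safety-related systems (A.4, A.7). The SIL bands are assumed from tables 2 and 3 of IEC 61508-1, which this page references but does not reproduce; the input frequencies are constructed sample values.

```python
"""Annex A arithmetic: necessary risk reduction, target failure measure and SIL.

Added illustration, not part of IEC 61508-5.  The SIL bands below are an
assumption taken from IEC 61508-1 tables 2 and 3 (referenced in A.6 but not
reproduced on this page); the lower limits come from the Introduction.
"""

# Target failure measure bands as (sil, lower bound inclusive, upper bound exclusive).
# Low demand mode: average probability of failure to perform the design function on demand.
LOW_DEMAND_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
# High demand or continuous mode: probability of a dangerous failure per hour.
CONTINUOUS_PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]
# Lower limit that may be claimed for a single E/E/PE safety-related system (Introduction).
SINGLE_SYSTEM_LIMIT = {"low_demand": 1e-5, "continuous": 1e-9}


def necessary_risk_reduction(euc_event_freq, tolerable_freq):
    """Factor by which the EUC risk must be reduced to reach the tolerable risk (A.2, figure A.1).

    Both arguments are hazardous event frequencies for the same consequence, in the
    same unit (per year in the worked example below); the unit cancels.
    """
    if euc_event_freq <= 0 or tolerable_freq <= 0:
        raise ValueError("frequencies must be positive")
    return euc_event_freq / tolerable_freq


def required_pfd(euc_event_freq, tolerable_freq):
    """Low demand mode: PFDavg that all safety protective features together must achieve.

    Each EUC hazardous event is a demand on the safety function; only the demands it
    fails on remain hazardous events, so PFDavg = tolerable / EUC = 1 / risk reduction.
    Returns 1.0 when the EUC risk already meets the tolerable risk (no reduction needed).
    """
    rrf = necessary_risk_reduction(euc_event_freq, tolerable_freq)
    return 1.0 if rrf <= 1.0 else 1.0 / rrf


def sil_for_measure(measure, mode):
    """Map a target failure measure to a SIL (1..4) for the given mode of operation.

    Returns None when the measure is at or above the SIL 1 band (no SIL claimed).
    Raises when the measure is below what a single E/E/PE safety-related system may
    claim: the risk reduction must then be shared with other technology safety-related
    systems or external risk reduction facilities (A.3, A.7).
    """
    if mode not in SINGLE_SYSTEM_LIMIT:
        raise ValueError(f"unknown mode {mode!r}")
    if measure < SINGLE_SYSTEM_LIMIT[mode]:
        raise ValueError(f"{measure:g} is below the {SINGLE_SYSTEM_LIMIT[mode]:g} "
                         "lower limit claimable for a single E/E/PE safety-related system")
    bands = LOW_DEMAND_PFD_BANDS if mode == "low_demand" else CONTINUOUS_PFH_BANDS
    for sil, lower, upper in bands:
        if lower <= measure < upper:
            return sil
    return None


def apportion_to_eepe(total_pfd, other_layer_pfds):
    """PFDavg left for the E/E/PE safety-related system after crediting other layers.

    A.4: independent dangerous failures combine by the normal rules of probability, so
    the total PFD is the product of the layers' PFDs.  Assumption: the layers are
    independent (no common cause between them); the result is capped at 1.0.
    """
    remaining = total_pfd
    for pfd in other_layer_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("layer PFD must be in (0, 1]")
        remaining /= pfd
    return min(remaining, 1.0)


def worked_example():
    """Constructed figures: hazardous event once per 5 years from the EUC and its control
    system, tolerable frequency 1e-4 per year, and a relief valve (other technology
    safety-related system) credited with PFDavg 0.1."""
    euc_freq, tolerable_freq = 0.2, 1e-4
    rrf = necessary_risk_reduction(euc_freq, tolerable_freq)   # 2000
    total = required_pfd(euc_freq, tolerable_freq)             # 5e-4 for all layers together
    sil_alone = sil_for_measure(total, "low_demand")           # SIL 3 if one system does it all
    eepe = apportion_to_eepe(total, [0.1])                     # 5e-3 left for the E/E/PE system
    sil_shared = sil_for_measure(eepe, "low_demand")           # SIL 2 once the valve is credited
    return {"rrf": rrf, "total_pfd": total, "sil_alone": sil_alone,
            "eepe_pfd": eepe, "sil_shared": sil_shared}


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The same figures show why the standard caps the claim for a single system: a tolerable frequency two orders of magnitude lower would push the required PFDavg below 10^-5, and `sil_for_measure` then refuses rather than returning a SIL.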



IS/IEC 61508-5 : 1998 



Annex B 

(informative) 

ALARP and tolerable risk concepts 



B.1 General 

This annex considers one particular approach to the achievement of a tolerable risk. The 
intention is not to provide a definitive account of the method but rather an illustration of the 
general principles. Those intending to apply the methods indicated in this annex should consult 
the source material referenced. 

B.2 ALARP model 
B.2.1 Introduction 

Subclause A.2 outlines the main tests that are applied in regulating industrial risks and 
indicates that the activities involve determining whether 

a) the risk is so great that it must be refused altogether, or 

b) the risk is, or has been made, so small as to be insignificant, or 

c) the risk falls between the two states specified in a) and b) above and has been reduced to 
the lowest practicable level, bearing in mind the benefits resulting from its acceptance and 
taking into account the costs of any further reduction. 

With respect to c), the ALARP principle requires that any risk must be reduced so far as is 
reasonably practicable, or to a level which is as low as reasonably practicable (these last 
5 words form the abbreviation ALARP). If a risk falls between the two extremes (i.e. the 
unacceptable region and broadly acceptable region) and the ALARP principle has been applied, 
then the resulting risk is the tolerable risk for that specific application. This three zone 
approach is shown in figure B.1. 

Above a certain level, a risk is regarded as intolerable and cannot be justified in any ordinary 
circumstance. 

Below that level, there is the tolerability region where an activity is allowed to take place 
provided the associated risks have been made as low as reasonably practicable. Tolerable 
here is different from acceptable: it indicates a willingness to live with a risk so as to secure 
certain benefits, at the same time expecting it to be kept under review and reduced as and 
when this can be done. Here a cost benefit assessment is required either explicitly or implicitly 
to weigh the cost and the need or otherwise for additional safety measures. The higher the risk, 
the more, proportionately, would be expected to be spent to reduce it. At the limit of tolerability, 
expenditure in gross disproportion to the benefit would be justified. Here the risk will by 
definition be substantial, and equity requires that a considerable effort is justified even to 
achieve a marginal reduction. 

Where the risks are less significant, the less, proportionately, need be spent to reduce them, 
and at the lower end of the tolerability region, a balance between costs and benefits will suffice. 
Below the tolerability region, the levels of risk are regarded as so insignificant that the regulator 
need not ask for further improvements. This is the broadly acceptable region where the risks 
are small in comparison with the everyday risks we all experience. While in the broadly 
acceptable region, there is no need for a detailed working to demonstrate ALARP; it is, 
however, necessary to remain vigilant to ensure that the risk remains at this level. 



Risk cannot be justified 
except in extraordinary 



Intolerable region 


\ / circumstances. 


The ALARP or f \ / Tolerable only if further risk 


tolerability region 


\ / reduction is impracticable or if its 
\ / cost is grossly disproportionate to 


(Risk is undertaken 


\ / the improvement gained. 


only if a benefit is 


\ / 


desired) 


\ / 




\ ^^^ As the nsk Is reduced, the less, 




\ ^^^W P''0P°i'°"a'6ly. It is necessa/y to spend to 
\ / ^ redi^ce it further to satisfy ALARP The 
\ / concept of diminishing proportion is shown 
\ / by the triangle. 


1 


\ \ 1 



Broadly acceptable region 

(No need for detailed working 
to demonstrate ALARP) 



It is necessary to maintain 
assurance that risk remains at 
this level. 



Negligible risk 



Figure B.I - Tolerable risk and ALARP 

The concept of ALARP can be used when qualitative or quantitative risk targets are adopted. 
Subclause B.2.2 outlines a method for quantitative risk targets. (Annex C outlines a 
quantitative method and annexes D and E outline qualitative methods for the determination of 
the necessary risk reduction for a specific hazard. The methods indicated could incorporate the 
concept of ALARP in the decision making.) 

NOTE - Further information on ALARP is given in reference [4] in annex F. 

B.2.2 Tolerable risk target 

One way in which a tolerable risk target can be obtained is for a number of consequences to be 
determined and tolerable frequencies allocated to them. This matching of the consequences to 
the tolerable frequencies would take place by discussion and agreement between the 
interested parties (for example safety regulatory authorities, those producing the risks and 
those exposed to the risks). 

To take into account ALARP concepts, the matching of a consequence with a tolerable 
frequency can be done through risk classes. Table B.1 is an example showing four risk classes 
(I, II, III, IV) for a number of consequences and frequencies. Table B.2 interprets each of the 
risk classes using the concept of ALARP. That is, the descriptions for each of the four risk 
classes are based on figure B.1. The risks within these risk class definitions are the risks that 
are present when risk reduction measures have been put in place. With respect to figure B.1, 
the risk classes are as follows: 

- risk class I is in the unacceptable region; 

- risk classes II and III are in the ALARP region, risk class II being just inside the ALARP 
region; 

- risk class IV is in the broadly acceptable region. 

For each specific situation, or sector comparable industries, a table similar to table B.1 would 
be developed taking into account a wide range of social, political and economic factors. Each 
consequence would be matched against a frequency and the table populated by the risk 
classes. For example, frequent in table B.1 could denote an event that is likely to be continually 
experienced, which could be specified as a frequency greater than 10 per year. A critical 
consequence could be a single death and/or multiple severe injuries or severe occupational 
illness. 

Table B.1 - Example of risk classification of accidents 

Frequency      Consequence 
               Catastrophic   Critical   Marginal   Negligible 
Frequent       I              I          I          II 
Probable       I              I          II         III 
Occasional     I              II         III        III 
Remote         II             III        III        IV 
Improbable     III            III        IV         IV 
Incredible     IV             IV         IV         IV 

NOTE 1 - The actual population with risk classes I, II, III and IV will be sector dependent and 
will also depend upon what the actual frequencies are for frequent, probable, etc. Therefore, 
this table should be seen as an example of how such a table could be populated, rather than 
as a specification for future use. 

NOTE 2 - Determination of the safety integrity level from the frequencies in this table is 
outlined in annex C. 



Table B.2 - Interpretation of risk classes 

Risk class    Interpretation 
Class I       Intolerable risk 
Class II      Undesirable risk, and tolerable only if risk reduction is impracticable 
              or if the costs are grossly disproportionate to the improvement gained 
Class III     Tolerable risk if the cost of risk reduction would exceed the improvement 
              gained 
Class IV      Negligible risk 

Annex C 

(informative) 



Determination of safety integrity levels: a quantitative method 



C.1 General 

This annex outlines how the safety integrity levels can be determined if a quantitative approach 
is adopted and illustrates how the information contained in tables such as table B.1 can be 
used. A quantitative approach is of particular value when: 

- the tolerable risk is to be specified in a numerical manner (for example that a specified 
consequence should not occur with a greater frequency than one in 10^ years); 

- numerical targets have been specified for the safety integrity levels for the safety-related 
systems. Such targets have been specified in this standard (see tables 2 and 3 of 
lEC 61508-1). 

This annex is not intended to be a definitive account of the method but is intended to illustrate the 
general principles. It is particularly applicable when the risk model is as indicated in figures A.1 
and A.2. 

C.2 General method 

The model used to illustrate the general principles is that shown in figure A.1. The key steps in 
the method are as follows and will need to be done for each safety function to be implemented 
by the E/E/PE safety-related system: 

- determine the tolerable risk from a table such as table B.1; 

- determine the EUC risk; 

- determine the necessary risk reduction to meet the tolerable risk; 

- allocate the necessary risk reduction to the E/E/PE safety-related systems, other 
technology safety-related systems and external risk reduction facilities (see 7.6 of 
IEC 61508-1). 

Table B.1 is populated with risk frequencies and allows a numerical tolerable risk target (Ft) to 
be specified. 

The frequency associated with the risk that exists for the EUC, including the EUC control 
system and human factor issues (the EUC risk), without any protective features, can be 
estimated using quantitative risk assessment methods. This frequency with which a hazardous 
event could occur without protective features present (Fnp) is one of two components of the 
EUC risk; the other component is the consequence of the hazardous event. Fnp may be 
determined by 



- analysis of failure rates from comparable situations; 

- data from relevant databases; 

- calculation using appropriate predictive methods. 
This standard places constraints on the minimum failure rates that can be claimed for the EUC 
control system (see 7.5.2.5 of IEC 61508-1). If it is to be claimed that the EUC control system 
has a failure rate less than these minimum failure rates, then the EUC control system shall be 
considered a safety-related system and shall be subject to all the requirements for safety-related 
systems in this standard. 

C.3 Example calculation 

Figure C.1 provides an example of how to calculate the target safety integrity for a single 
safety-related protection system. For such a situation 

PFDavg ≤ Ft / Fnp 

where 

PFDavg is the average probability of failure on demand of the safety-related protection system, 
which is the safety integrity failure measure for safety-related protection systems 
operating in a low demand mode of operation (see table 2 of IEC 61508-1 and 3.5.12 
of IEC 61508-4); 

Ft is the tolerable risk frequency; 

Fnp is the demand rate on the safety-related protection system. 

Also in figure C.1: 

- C is the consequence of the hazardous event; 

- Fp is the risk frequency with the protective features in place. 

It can be seen that determination of Fnp for the EUC is important because of its relationship to 
PFDavg and hence to the safety integrity level of the safety-related protection system. 

The necessary steps in obtaining the safety integrity level (when the consequence C remains 
constant) are given below (as in figure C.1), for the situation where the entire necessary risk 
reduction is achieved by a single safety-related protection system which must reduce the 
hazard rate, as a minimum, from Fnp to Ft: 

- determine the frequency element of the EUC risk without the addition of any protective 
features (Fnp); 

- determine the consequence C without the addition of any protective features; 

- determine, by use of table B.1, whether for frequency Fnp and consequence C a tolerable 
risk level is achieved. If, through the use of table B.1, this leads to risk class I, then further 
risk reduction is required. Risk class IV or III would be tolerable risks. Risk class II would 
require further investigation; 

NOTE - Table B.1 is used to check whether or not further risk reduction measures are necessary, since it may 
be possible to achieve a tolerable risk without the addition of any protective features. 

- determine the probability of failure on demand for the safety-related protection system 
(PFDavg) to meet the necessary risk reduction (ΔR). For a constant consequence in the 
specific situation described, PFDavg = (Ft / Fnp) = ΔR; 

- for PFDavg = (Ft / Fnp), the safety integrity level can be obtained from table 2 of IEC 61508-1 
(for example, for PFDavg = 10^-2 to 10^-3, the safety integrity level = 2). 
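The steps of C.3 carried through in code, as an added worked example that is not part of IEC 61508-5 or of this Indian Standard. It takes from the text the risk-class table (table B.1), the relation PFDavg ≤ Ft / Fnp and the "frequent: more than 10 per year" illustration; the remaining numeric bounds of the frequency bands, and the sample Fnp and Ft values, are constructed assumptions, and the SIL bands are those of table 2 of IEC 61508-1 for low demand mode (of which the text quotes only the SIL 2 row). The two out-of-range outcomes (less than a factor-ten reduction needed, or more reduction than a single SIL 4 system can be credited with) are reported explicitly, since they are the cases a plain table lookup silently gets wrong.

```python
"""Quantitative SIL determination following the steps in C.3 of annex C.

Added example, not code from IEC 61508-5. Table B.1 and PFDavg <= Ft / Fnp
are from the text; the frequency-band thresholds other than "frequent" and
the sample values in __main__ are constructed ASSUMPTIONS.
"""
from __future__ import annotations

# Table B.1 (from the text): risk class by frequency band and consequence.
CONSEQUENCES = ("catastrophic", "critical", "marginal", "negligible")
RISK_CLASS_TABLE = {
    "frequent":   ("I",   "I",   "I",   "II"),
    "probable":   ("I",   "I",   "II",  "III"),
    "occasional": ("I",   "II",  "III", "III"),
    "remote":     ("II",  "III", "III", "IV"),
    "improbable": ("III", "III", "IV",  "IV"),
    "incredible": ("IV",  "IV",  "IV",  "IV"),
}

# Lower bound (events per year) of each band, most frequent first. Only
# "frequent: more than 10 per year" is from the text; the other thresholds
# are an ASSUMPTION for this example and would be agreed per sector.
FREQUENCY_BANDS = (
    ("frequent", 10.0),
    ("probable", 1.0),
    ("occasional", 1e-1),
    ("remote", 1e-2),
    ("improbable", 1e-3),
    ("incredible", 0.0),
)

# Table 2 of IEC 61508-1, low demand mode: SIL -> PFDavg range [lower, upper).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def frequency_band(f_per_year: float) -> str:
    """Map a numeric hazardous-event frequency onto a table B.1 frequency band."""
    if f_per_year < 0:
        raise ValueError("frequency cannot be negative")
    for name, lower in FREQUENCY_BANDS:
        if f_per_year >= lower:
            return name
    return "incredible"


def risk_class(f_per_year: float, consequence: str) -> str:
    """Table B.1 lookup: returns 'I', 'II', 'III' or 'IV'."""
    return RISK_CLASS_TABLE[frequency_band(f_per_year)][CONSEQUENCES.index(consequence)]


def required_pfd_avg(f_t: float, f_np: float) -> float:
    """Necessary risk reduction for one protection system: PFDavg <= Ft / Fnp."""
    if f_np <= 0 or f_t <= 0:
        raise ValueError("Ft and Fnp must be positive frequencies")
    return f_t / f_np


def sil_for_pfd(pfd: float):
    """SIL from table 2 of IEC 61508-1, with both out-of-range cases named."""
    if pfd >= 1.0:
        return "no further risk reduction required"
    if pfd >= 1e-1:
        # Less than a factor-ten reduction: no SIL band covers it (the text
        # gives no guidance for this case; reported, not silently rounded).
        return "risk reduction below SIL 1"
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd < upper:
            return sil
    return "single E/E/PE system not sufficient"   # PFDavg < 10^-5, beyond SIL 4


def determine_sil(f_np: float, consequence: str, f_t: float) -> dict:
    """Run the C.3 steps for constant consequence C and one protection system."""
    initial_class = risk_class(f_np, consequence)
    result = {"risk_class_without_protection": initial_class}
    if initial_class in ("III", "IV"):
        # Tolerable without protective features (NOTE after the third step).
        result["sil"] = "no further risk reduction required"
        return result
    if initial_class == "II":
        result["note"] = "risk class II: further investigation required"
    pfd = required_pfd_avg(f_t, f_np)
    result["required_pfd_avg"] = pfd
    result["sil"] = sil_for_pfd(pfd)
    return result


if __name__ == "__main__":
    # Constructed sample: Fnp = 0.5 demands per year, critical consequence,
    # agreed tolerable frequency Ft = 10^-4 per year.
    print(determine_sil(0.5, "critical", 1e-4))
```

With the constructed sample, Fnp = 0.5 per year falls in the "occasional" band, a critical consequence gives risk class II, and Ft / Fnp = 2 × 10^-4 lands in the SIL 3 band; lowering Ft by a further factor of 100 would leave the required PFDavg below 10^-5, which the example reports as not achievable by a single E/E/PE system rather than as "SIL 4".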
[Figure C.1 (diagram): text recovered from the figure] 

Risk (Rnp) = Fnp × C 

Risk ≤ Rt, where Rt = Ft × C 

EUC and the EUC control system: hazardous event frequency Fnp 

Safety-related protection system required to achieve the necessary risk reduction 

Necessary risk reduction (ΔR): from Fnp down to Ft 

Safety integrity of safety-related protection system matched to the necessary risk reduction 

Figure C.1 - Safety integrity allocation: example for safety-related protection system 
Annex D 

(informative) 

Determination of safety integrity levels - A qualitative method: risk graph 



D.1 General 

This annex describes the risk graph method, which is a qualitative method that enables the 
safety integrity level of a safety-related system to be determined from a knowledge of the risk 
factors associated with the EUC and the EUC control system. It is particularly applicable when 
the risk model is as indicated in figures A.1 and A.2. 

Where a qualitative approach is adopted, in order to simplify matters a number of parameters 
are introduced which together describe the nature of the hazardous situation when safety-related 
systems fail or are not available. One parameter is chosen from each of four sets, and 
the selected parameters are then combined to decide the safety integrity level allocated to the 
safety-related systems. These parameters 

- allow a meaningful graduation of the risks to be made, and 

- contain the key risk assessment factors. 

This annex is not intended to be a definitive account of the method but is intended to illustrate 
the general principles. Those intending to apply the methods indicated in this annex should 
consult the source material referenced. 

D.2 Risk graph synthesis 

The following simplified procedure is based on the following equation: 

R = f × C 

where 

R is the risk with no safety-related systems in place; 

f is the frequency of the hazardous event with no safety-related systems in place; 

C is the consequence of the hazardous event (the consequences could be related to harm 
associated with health and safety or harm from environmental damage). 

The frequency of the hazardous event f is, in this case, considered to be made up of three 
influencing factors: 

- frequency of, and exposure time in, the hazardous zone; 

- the possibility of avoiding the hazardous event; 

- the probability of the hazardous event taking place without the addition of any safety-related 
systems (but having in place external risk reduction facilities) - this is termed the 
probability of the unwanted occurrence. 
This produces the following four risk parameters: 

- consequence of the hazardous event (C); 

- frequency of, and exposure time in, the hazardous zone (F); 

- possibility of failing to avoid the hazardous event (P); 

- probability of the unwanted occurrence (W). 

D.3 Other possible risk parameters 

The risk parameters specified above are considered to be sufficiently generic to deal with a 
wide range of applications. There may, however, be applications which have aspects which 
require the introduction of additional risk parameters, for example the use of new 
technologies in the EUC and the EUC control system. The purpose of the additional 
parameters would be to more accurately estimate the necessary risk reduction (see figure A.1). 

D.4 Risk graph implementation: general scheme 

The combination of the risk parameters described above enables a risk graph such as that 
shown in figure D.1 to be developed. With respect to figure D.1: CA < CB < CC < CD; FA < FB; 
PA < PB; W1 < W2 < W3. An explanation of this risk graph is as follows. 

- Use of risk parameters C, F and P leads to a number of outputs X1, X2, X3 ... Xn (the exact 
number being dependent upon the specific application area to be covered by the risk 
graph). Figure D.1 indicates the situation when no additional weighting is applied for the 
more serious consequences. Each one of these outputs is mapped onto one of three scales 
(W1, W2 and W3). Each point on these scales is an indication of the necessary safety 
integrity that has to be met by the E/E/PE safety-related system under consideration. In 
practice, there will be situations when for specific consequences, a single E/E/PE safety-related 
system is not sufficient to give the necessary risk reduction. 

- The mapping onto W1, W2 or W3 allows the contribution of other risk reduction measures to 
be made. The offset feature of the scales for W1, W2 and W3 is to allow for three different 
levels of risk reduction from other measures. That is, scale W3 provides the minimum risk 
reduction contributed by other measures (i.e. the highest probability of the unwanted 
occurrence taking place), scale W2 a medium contribution and scale W1 the maximum 
contribution. For a specific intermediate output of the risk graph (i.e. X1, X2 ... or Xn) and for 
a specific W scale (i.e. W1, W2 or W3) the final output of the risk graph gives the safety 
integrity level of the E/E/PE safety-related system (i.e. 1, 2, 3 or 4) and is a measure of the 
required risk reduction for this system. This risk reduction, together with the risk reductions 
achieved by other measures (for example by other technology safety-related systems and 
external risk reduction facilities) which are taken into account by the W scale mechanism, 
gives the necessary risk reduction for the specific situation. 

The parameters indicated in figure D.1 (CA, CB, CC, CD, FA, FB, PA, PB, W1, W2, W3), and their 
weightings, would need to be accurately defined for each specific situation or sector 
comparable industries, and would also need to be defined in application sector international 
standards. 
D.5 Risk graph example 

An example of a risk graph implementation based on the example data in table D.1 is shown in 
figure D.2. Use of the risk parameters C, F and P leads to one of eight outputs. Each one of 
these outputs is mapped onto one of three scales (W1, W2 and W3). Each point on these 
scales (a, b, c, d, e, f, g and h) is an indication of the necessary risk reduction that has to be 
met by the safety-related system. 

NOTE - Further information on this risk graph implementation is given in reference [2] in annex F. 



[Figure D.1 (diagram): text recovered from the figure] 

Starting point for risk reduction estimation 

Generalized arrangement (in practical implementations the arrangement is specific to the 
applications to be covered by the risk graph): selection of C, then F, then P leads to one of 
the intermediate outputs X1, X2, X3 ... Xn, each of which is mapped onto the scales W3, W2 
and W1. 

C = Consequence risk parameter 
F = Frequency and exposure time risk parameter 
P = Possibility of failing to avoid hazard risk parameter 
W = Probability of the unwanted occurrence 

— = No safety requirements 
a = No special safety requirements 
b = A single E/E/PES is not sufficient 
1, 2, 3, 4 = Safety integrity level 

Figure D.1 - Risk graph: general scheme 
[Figure D.2 (diagram): text recovered from the figure; the branch structure linking the C, F 
and P selections to the outputs X1 ... X8 is not recoverable from the scan] 

Starting point for risk reduction estimation 

C = Consequence risk parameter 
F = Frequency and exposure time risk parameter 
P = Possibility of avoiding hazard risk parameter 
W = Probability of the unwanted occurrence 
a, b, c ... h = Estimates of the required risk reduction for the SRSs 

Mapping of the intermediate outputs onto the W scales: 

Output   W3   W2   W1 
X1       a    -    - 
X2       b    a    - 
X3       c    b    a 
X4       d    c    b 
X5       e    d    c 
X6       f    e    d 
X7       g    f    e 
X8       h    g    f 

a, b, c, d, e, f, g, h represent the necessary minimum risk reduction. The link between the 
necessary minimum risk reduction and the safety integrity level is shown in the table. 

Necessary minimum risk reduction    Safety integrity level 
-                                   No safety requirements 
a                                   No special safety requirements 
b, c                                1 
d                                   2 
e, f                                3 
g                                   4 
h                                   An E/E/PE SRS is not sufficient 

Figure D.2 - Risk graph: example (illustrates general principles only) 
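The risk graph mechanism of D.4 and D.5 in code, as an added worked example that is not part of IEC 61508-5 or of this Indian Standard. From the text it takes the parameter orderings (CA < CB < CC < CD, FA < FB, PA < PB, W1 < W2 < W3), the W-scale offset (each step from W3 to W2 to W1 credits one more level of risk reduction from other measures, so the letter shifts by one) and the table in figure D.2 linking outputs a ... h to a safety integrity level. The routing from a (C, F, P) selection to the intermediate outputs X1 ... X8 is a constructed assumption, because the branch structure of figure D.2 is not recoverable from the scan; a real application would replace `intermediate_output` with the sector's agreed graph.

```python
"""Risk graph evaluation following D.4 and the D.5 example.

Added example, not code from IEC 61508-5. Parameter orderings, the W-scale
offset and the letter-to-SIL table are from the text (figure D.2); the
(C, F, P) -> Xn routing in intermediate_output() is a constructed ASSUMPTION.
"""
from __future__ import annotations

OUTPUT_LETTERS = "abcdefgh"   # necessary minimum risk reduction, a (least) .. h (most)

# Table in figure D.2: letter -> safety integrity level or non-SIL outcome.
LETTER_TO_SIL = {
    "-": "no safety requirements",
    "a": "no special safety requirements",
    "b": 1, "c": 1,
    "d": 2,
    "e": 3, "f": 3,
    "g": 4,
    "h": "an E/E/PE SRS is not sufficient",
}

# Offset of each W scale relative to W3. W3 credits the least risk reduction
# from other measures (highest probability of the unwanted occurrence), W1 the
# most; figure D.2 shows each column shifted by one letter.
W_OFFSET = {"W3": 0, "W2": 1, "W1": 2}


def intermediate_output(c: str, f: str, p: str) -> int:
    """Constructed routing (ASSUMPTION, not the figure D.2 graph): CA always
    reaches X1; for CB..CD the index rises two steps per consequence class and
    one step each for FB and PB, so CD/FB/PB reaches X8."""
    if c == "CA":
        return 1
    c_rank = {"CB": 1, "CC": 2, "CD": 3}[c]
    f_rank = {"FA": 0, "FB": 1}[f]
    p_rank = {"PA": 0, "PB": 1}[p]
    return 2 * c_rank + f_rank + p_rank


def risk_graph_letter(x: int, w: str) -> str:
    """Map intermediate output Xx onto scale w: shift down by the W offset;
    below 'a' the result is '-' (no safety requirements)."""
    if not 1 <= x <= len(OUTPUT_LETTERS):
        raise ValueError(f"X{x} is outside the example risk graph")
    idx = x - 1 - W_OFFSET[w]
    return OUTPUT_LETTERS[idx] if idx >= 0 else "-"


def safety_integrity_level(c: str, f: str, p: str, w: str):
    """Full evaluation: (C, F, P) -> Xn -> letter on scale W -> SIL."""
    return LETTER_TO_SIL[risk_graph_letter(intermediate_output(c, f, p), w)]


if __name__ == "__main__":
    for params in (("CA", "FA", "PA", "W3"), ("CB", "FB", "PB", "W2"),
                   ("CD", "FB", "PB", "W3"), ("CD", "FB", "PB", "W1")):
        print(params, "->", safety_integrity_level(*params))
```

The W scale is where other risk reduction measures enter: the same hazardous situation (CD, FB, PB) yields "an E/E/PE SRS is not sufficient" on W3 but SIL 3 on W1, which is the credit for two further levels of independent risk reduction and must therefore be justified as carefully as the SIL itself.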
Table D.1 - Example data relating to example risk graph (figure D.2) 

Risk parameter: Consequence (C) 

Classification: 
C1  Minor injury 
C2  Serious permanent injury to one or more persons; death to one person 
C3  Death to several people 
C4  Very many people killed 

Comments: 
1  The classification system has been developed to deal with injury and death to people. Other 
   classification schemes would need to be developed for environmental or material damage. 
2  For the interpretation of C1, C2, C3 and C4, the consequences of the accident and normal 
   healing shall be taken into account. 

Risk parameter: Frequency of, and exposure time in, the hazardous zone (F) 

Classification: 
F1  Rare to more often exposure in the hazardous zone 
F2  Frequent to permanent exposure in the hazardous zone 

Comments: 
3  See comment 1 above. 

Risk parameter: Possibility of avoiding the hazardous event (P) 

Classification: 
P1  Possible under certain conditions 
P2  Almost impossible 

Comments: 
4  This parameter takes into account 
   - operation of a process (supervised (i.e. operated by skilled or unskilled persons) or 
     unsupervised); 
   - rate of development of the hazardous event (for example suddenly, quickly or slowly); 
   - ease of recognition of danger (for example seen immediately, detected by technical 
     measures or detected without technical measures); 
   - avoidance of hazardous event (for example escape routes possible, not possible or 
     possible under certain conditions); 
   - actual safety experience (such experience may exist with an identical EUC or a similar 
     EUC or may not exist). 

Risk parameter: Probability of the unwanted occurrence (W) 

Classification: 
W1  A very slight probability that the unwanted occurrences will come to pass and only a few 
    unwanted occurrences are likely 
W2  A slight probability that the unwanted occurrences will come to pass and few unwanted 
    occurrences are likely 
W3  A relatively high probability that the unwanted occurrences will come to pass and frequent 
    unwanted occurrences are likely 

Comments: 
5  The purpose of the W factor is to estimate the frequency of the unwanted occurrence taking 
   place without the addition of any safety-related systems (E/E/PE or other technology) but 
   including any external risk reduction facilities. 
6  If little or no experience exists of the EUC, or the EUC control system, or of a similar EUC 
   and EUC control system, the estimation of the W factor may be made by calculation. In such 
   an event a worst case prediction shall be made. 
Annex E 

(informative) 

Determination of safety integrity levels - A qualitative method: 
hazardous event severity matrix 



E.1 General 

The numeric method described in annex C is not applicable where the risk (or the frequency 
portion of it) cannot be quantified. This annex describes the hazardous event severity matrix 
method, which is a qualitative method that enables the safety integrity level of an E/E/PE 
safety-related system to be determined from a knowledge of the risk factors associated with 
the EUC and the EUC control system. It is particularly applicable when the risk model is as 
indicated in figures A.1 and A.2. 

The scheme outlined in this annex assumes that each safety-related system and external 
reduction facility is independent. 

This annex is not intended to be a definitive account of the method but is intended to illustrate 
the general principles of how such a matrix could be developed by those having a detailed 
knowledge of the specific parameters that are relevant to its construction. Those intending to 
apply the methods indicated in this annex should consult the source material referenced. 

NOTE - Further information on the hazardous event matrix is given in reference [3] in annex F. 



E.2 Hazardous event severity matrix 

The following requirements underpin the matrix and each one is necessary for the method to 
be valid: 

a) the safety-related systems (E/E/PE and other technology) together with the external risk 
reduction facilities are independent; 

b) each safety-related system (E/E/PE and other technology) and external risk reduction 
facilities are considered as protection layers which provide, in their own right, partial risk 
reductions as indicated in figure A.1; 

NOTE 1 - This assumption is valid only if regular proof tests of the protection layers are carried out. 

c) when one protection layer (see b) above) is added, then one order of magnitude 
improvement in safety integrity is achieved; 

NOTE 2 - This assumption is valid only if the safety-related systems and external risk reduction facilities 
achieve an adequate level of independence. 

d) only one E/E/PE safety-related system is used (but this may be in combination with an other 
technology safety-related system and/or external risk reduction facilities), for which this 
method establishes the necessary safety integrity level. 

The above considerations lead to the hazardous event severity matrix shown in figure E.1. It 
should be noted that the matrix has been populated with example data to illustrate the general 
principles. For each specific situation, or sector comparable industries, a matrix similar to 
figure E.1 would be developed. 



[Figure E.1 (diagram): text recovered from the figure] 

Vertical axis: number of independent SRSs and external risk reduction facilities [E] (including 
the E/E/PE SRS being classified), 3, 2 or 1. Horizontal axis within each block: event 
likelihood [D] (Low, Med, High). Blocks: hazardous event severity (Minor, Serious, Extensive). 

Hazardous event severity: Minor 
Layers   Low        Med        High 
3        [C]        [C]        [C] 
2        [C]        [C]        SIL1 
1        SIL1       SIL1       SIL2 

Hazardous event severity: Serious 
Layers   Low        Med        High 
3        [C]        [C]        [C] 
2        [C]        SIL1       SIL2 
1        SIL1       SIL2       SIL3 [B] 

Hazardous event severity: Extensive 
Layers   Low        Med        High 
3        [C]        SIL1       SIL1 
2        SIL1       SIL2       SIL3 [B] 
1        SIL3 [B]   SIL3 [B]   SIL3 [A] 

[A] One SIL 3 E/E/PE safety-related system does not provide sufficient risk reduction at this risk 
level. Additional risk reduction measures are required. 

[B] One SIL 3 E/E/PE safety-related system may not provide sufficient risk reduction at this risk 
level. Hazard and risk analysis is required to determine whether additional risk reduction 
measures are necessary. 

[C] An independent E/E/PE safety-related system is probably not required. 

[D] Event likelihood is the likelihood that the hazardous event occurs without any safety-related 
systems or external risk reduction facilities. 

[E] SRS = safety-related system. Event likelihood and the total number of independent 
protection layers are defined in relation to the specific application. 

Figure E.1 - Hazardous event severity matrix: 
example (illustrates general principles only) 
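The severity matrix of E.2 and figure E.1 as a lookup, added here as a worked example that is not part of IEC 61508-5 or of this Indian Standard. The cell values are those read from figure E.1; the severity and likelihood category names and the sample queries are constructed. Beyond the plain lookup, `min_layers_for_achievable_sil` answers the question E.2 c) (one order of magnitude per independent protection layer) raises in practice: given the highest SIL the E/E/PE system can credibly claim, how many independent layers are needed, treating the [A] and [B] cells as unresolved rather than as a SIL 3 answer.

```python
"""Hazardous event severity matrix lookup following E.2 and figure E.1.

Added example, not code from IEC 61508-5. Cell values are read from
figure E.1 on the page; category names and sample queries are constructed.
"""
from __future__ import annotations

SEVERITIES = ("minor", "serious", "extensive")
LIKELIHOODS = ("low", "med", "high")

# Annotated non-SIL outcomes, from the notes under figure E.1.
NOT_REQUIRED = "[C] independent E/E/PE SRS probably not required"
SIL3_CHECK = "SIL 3 [B] one SIL 3 E/E/PE SRS may not be sufficient; hazard and risk analysis required"
SIL3_INSUFFICIENT = "SIL 3 [A] one SIL 3 E/E/PE SRS not sufficient; additional measures required"

# Figure E.1: MATRIX[severity][layers] = (low, med, high), where layers is the
# number of independent SRSs and external risk reduction facilities including
# the E/E/PE SRS being classified.
MATRIX = {
    "minor": {
        3: (NOT_REQUIRED, NOT_REQUIRED, NOT_REQUIRED),
        2: (NOT_REQUIRED, NOT_REQUIRED, 1),
        1: (1, 1, 2),
    },
    "serious": {
        3: (NOT_REQUIRED, NOT_REQUIRED, NOT_REQUIRED),
        2: (NOT_REQUIRED, 1, 2),
        1: (1, 2, SIL3_CHECK),
    },
    "extensive": {
        3: (NOT_REQUIRED, 1, 1),
        2: (1, 2, SIL3_CHECK),
        1: (SIL3_CHECK, SIL3_CHECK, SIL3_INSUFFICIENT),
    },
}


def severity_matrix_sil(severity: str, likelihood: str, layers: int):
    """Look up the SIL (int) or the annotated non-SIL outcome from figure E.1."""
    if severity not in SEVERITIES or likelihood not in LIKELIHOODS:
        raise ValueError("unknown severity or likelihood category")
    if layers not in (1, 2, 3):
        raise ValueError("figure E.1 covers 1 to 3 independent protection layers")
    return MATRIX[severity][layers][LIKELIHOODS.index(likelihood)]


def min_layers_for_achievable_sil(severity: str, likelihood: str, achievable_sil: int):
    """Smallest number of independent protection layers (1..3) for which the
    E/E/PE SRS needs at most `achievable_sil` according to figure E.1. Cells
    carrying note [A] or [B] do not count as resolved. Returns None if even
    three layers leave the requirement above `achievable_sil`."""
    for layers in (1, 2, 3):
        cell = severity_matrix_sil(severity, likelihood, layers)
        if cell == NOT_REQUIRED or (isinstance(cell, int) and cell <= achievable_sil):
            return layers
    return None


if __name__ == "__main__":
    # Constructed queries.
    print("serious/high, 1 layer:", severity_matrix_sil("serious", "high", 1))
    print("layers for SIL 2 system, extensive/high:",
          min_layers_for_achievable_sil("extensive", "high", 2))
```

Note how the matrix encodes E.2 c): for an extensive/high event a single layer is out of reach for any E/E/PE system ([A]), two layers leave the SIL 3 claim needing hazard and risk analysis ([B]), and only with three independent layers does the E/E/PE SRS requirement drop to SIL 1. Independence of those layers (E.2 a) and NOTE 2) is what the whole credit rests on.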


Printed by the Manager, Govt. of India Press, Faridabad 



